I have accidentally found my way to a web site which has been hacked. Upon exiting the page, a hijacked onunload handler brings me to another site which immediately attempts to download a .EXE file for windows.

Anyone who says that EXE programs are not dangerous on Linux is simply wrong. Wine by default comes with a link dosdevices/z: -> /
What this means is that any Windows program can read/write to all files that I have read/write access to. For example, imagine a simple trojan that adds malicious code to all .EXE files on the disk. While this may not be an immediate problem, the next time I boot to my Windows partition, my computer will be owned! Or, a virus could just inconspicuously delete or truncate all "unimportant" files (images, documents) on my computer -- and from what I have heard, there are recent malicious programs floating around the internet that do this.

In addition, Wine executables that are designed with Linux in mind (not that much of a stretch) could launch arbitrary code, even in the form of an ELF binary if necessary, followed by installing a keylogger or pretty much anything even if it wasn't possible using Windows-only code.

While I am understanding of the chain of events leading to the EXE download (there is nothing Firefox can do about me going to a malicious website), there are a number of problems (I have attached a screenshot so you can see what I mean):

1) The Dialog box marks "Open with wine" as default,

2) It does not have a countdown timer! So any page that asks you to fill in a text box and hit enter, could cause you to run an arbitrary .EXE using wine by initiating the download at exactly the right time.

3) The "Use this as default" box is greyed out, so I am not only unable to remove wine as my default, but I cannot tell it to always save these files to disk, or *something* that does not involve immediately compromising my user account.

All of these together mean not only that I am vulnerable to accidentally clicking the wrong button when trying to cancel out of this malicious webpage, but that I am unable to prevent this from happening in the future. I believe this is a critical bug for anybody who has both Firefox and Wine installed on the same system, as it leads to arbitrary code execution under circumstances that are not too much of a stretch.

(For anybody interested in the specific website, the URL that I was referred to on the "onunload" handler in the hijacked page shows up in the download window screenshot--I don't want to paste it here.)

I don't know what the right solution is here, but I would personally like to see some serious review go into the default MIME types and helper applications. This is the reason that I am reporting the bug here rather than upstream. Mozilla Firefox has no control over the defaults that the Distro provides, and the simplest solution for now is to change the default mime handlers so that you don't end up with "open with wine" as a default anywhere.

Also, while this isn't productive to this specific discussion and I am merely preaching to the choir, I would like a GUI that allows normal users to see the *full* list of file extensions and their associated programs, so that you can make conscious decisions about file types rather than only relying on defaults. I'm talking about Edit->Preferences->Applications, but instead of only a select few of them, a list that shows *all* application handlers on the system, and allows adding/removing entries, kind of like the "Folder Options" screen that Windows has (though I'm not saying to copy their overly complicated registry).

If not this, I would at least like to see a "Change the default" option that isn't sometimes mysteriously greyed out. Again, it isn't Ubuntu's place to add such a feature, so this might be worth reporting to upstream.

I would argue this is a GNOME bug - we should have a generic warning interception dialog for when you try to execute unsandboxed code downloaded from the Internet. IIRC there was some sort of attempt at this somewhere (nautilus?). Needs investigation.

Just a note: The screenshot shows a greyed out OK button. It just looks that way because of the theme and the fact that the window is not focused. Upon clicking on the window the button is clickable.

Also, the site in question pops up a bunch of annoying alert boxes, so it is possible that an unsuspecting user with a fast keyboard repeat rate who hits the enter key to close them may be able to launch the executable by mistake (the only indication may be that the Download Manager will open up). I have not tried it since I don't want to compromise my machine, and I do suspect the Mozilla devs have already thought of this scenario--maybe by detecting if the key is already held down. But if not, this is yet another way that a user could be tricked into clicking OK.

Agreeing with the ability to change running .exe's default, but there is nothing smart you can do about the rest. Annoying 'are you sure you want to run this?' dialogs are doubtfully effective - if you want protection, install an anti-virus.

Created an attachment (id=20846)
Reduce .desktop file to application/x-msdos-executable and application/x-msi

Our desktop file is too greedy. I think I wrote it a while back off a list of every possible mime type a .exe file can have from somewhere on the internet; this resulted in entries like x-zip-compressed and x-executable. This results in the side effect that Wine now tries to open shell scripts and zip files on many systems.

On modern systems we can rely on shared-mime-info to correctly identify executables as application/x-msdos-executable, so we only need that MIME type for .exe.

So, I suggest we reduce our .desktop file to two mime types: application/x-msdos-executable and application/x-msi. The attached patch fixes this.

This still leaves the possibility of not opening .com, .bat, or similar files, however that's already broken and is a bug in shared-mime-info to be fixed there. Moreover, there's a slight chance of the reverse possibility - a .exe file that isn't a Wine executable file. I don't think that's our bug either though - again a problem in shared-mime-info.
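An audit for the over-broad registration described in the comment above, as an added example that is not part of the thread or of the attached patch: it lists every MIME type a Wine launcher's .desktop file claims beyond the two proposed. The sample file content, the function names and the "Exec runs wine" heuristic are assumptions made for illustration.

```python
import configparser
from pathlib import Path

# The two MIME types the comment proposes keeping for Wine's launcher.
ALLOWED = {"application/x-msdos-executable", "application/x-msi"}

# Constructed sample, not the real wine.desktop: the two proposed types plus
# the over-broad ones the comment names.
SAMPLE_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=Wine Windows Program Loader
Exec=wine start /unix %f
MimeType=application/x-msdos-executable;application/x-msi;application/x-zip-compressed;application/x-executable;
"""

def desktop_entry(text):
    """Parse the [Desktop Entry] group; return {} if the file is malformed."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # Desktop Entry keys are case-sensitive
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    return parser["Desktop Entry"] if parser.has_section("Desktop Entry") else {}

def mime_types(text):
    """Return the semicolon-separated MimeType list as a Python list."""
    raw = desktop_entry(text).get("MimeType", "")
    return [m.strip() for m in raw.split(";") if m.strip()]

def excess_types(text, allowed=ALLOWED):
    """MIME types the entry claims beyond the allowed set."""
    return [m for m in mime_types(text) if m not in allowed]

def launches_wine(text):
    """Heuristic (assumption): some token of Exec has the basename 'wine'."""
    exec_line = desktop_entry(text).get("Exec", "")
    return any(Path(tok).name == "wine" for tok in exec_line.split())

def audit_dir(app_dir):
    """Map each Wine-launching .desktop file in app_dir to its excess types."""
    findings = {}
    for path in sorted(Path(app_dir).glob("*.desktop")):
        text = path.read_text(encoding="utf-8", errors="replace")
        if launches_wine(text) and excess_types(text):
            findings[path.name] = excess_types(text)
    return findings
```

Point `audit_dir` at the directories where launchers are installed, such as `/usr/share/applications` and `~/.local/share/applications`, to see which Wine entries would be offered for non-Windows files.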

Colin, how is this a gnome bug? All the app handling and mime code is kind of redone on mozilla side atm. At some point we might have the system application chooser for gnome integrated in firefox; at that point it would probably become a gnome bug, but not for now.

What I'm saying is that if GNOME provided some facility for applications to check whether a file was downloaded from the internet, and pop up a warning dialog, it could be reused not only in Firefox but also in say Empathy/Pidgin file transfers.

I know Firefox does application handling manually now, but there's not a reason that can't be changed.